Certain types of on-line services and applications are targets for hackers and other malicious individuals attempting to gain access to sensitive user information. This is particularly true for on-line financial applications such as Internet banking, on-line payment sites, and on-line brokerages. Common techniques used by hackers include the installation of viruses, Trojan horses, or spyware on a user's computer, phishing schemes where a user is tricked into accessing a fake website having the look and feel of the legitimate site, and man-in-the-middle attacks involving the interception of communication from the user's computer and an external server or device.
Various forms of authentication are used to provide security for on-line transactions. The forms of authentication are generally categorized in three classes: something the user is (e.g., a biometric such as a fingerprint), something the user has (e.g., a security token), and something the user knows (e.g., password). Security is strengthened by using multiple forms of authentication (referred to as “multi-factor” authentication) to verify the identity of a user.
Often when a user opens an account with a financial institution, the financial institution issues a smartcard (or a similar type of memory card) to enable the user to perform financial transactions. During a typical transaction made using a smartcard, the smartcard and smartcard reader perform a validation of one another. For example, the smartcard may verify that the smartcard reader is authorized to read the credential from the smartcard. In addition, the smartcard reader may verify that the smartcard contains the credential that the smartcard reader is authorized to read. The verification may involve the use of a public-private key pair where the public key is stored on the smartcard and the smartcard reader has access to the corresponding private key. In this case, the smartcard may require a smartcard reader to provide that it has the corresponding private key before the smartcard will release its credential to the reader.
In a conventional retail environment, provisions may be made to protect private keys stored in each smartcard reader. A high level of physical and data security may be implemented for each reader. For example, each reader may be provided with a tamper resistant and/or tamper evident housing. Additionally, smartcard readers may be continuously or periodically monitored.
However, the costs of providing such security for readers issued to individual users (e.g., to be associated with a user's personal computer) are prohibitive. Therefore, these user smartcard readers do not provide effective protection for private keys. Furthermore, a malicious user may tamper with a user smartcard reader to access and illicitly read smartcards in the proximity of the smartcard reader and conduct unauthorized transactions using these smartcards. Thus, the use of smartcards has been limited to traditional transactions (e.g., purchases at a brick and mortar retail store).
What is therefore needed are systems and methods for enabling a smartcard issued for traditional uses to be used for other verification purposes.
What is further needed are systems and methods for securely binding a smartcard to a smartcard reader through the use of credentials assigned to the smartcard.
The present invention will now be described with reference to the accompanying drawings. In the drawings, like reference numbers can indicate identical or functionally similar elements. Additionally, the left-most digit(s) of a reference number may identify the drawing in which the reference number first appears.